It’s Time to Stop Comparing Exploits to Physical Weapons

Analogies may seem helpful, but often they are inaccurate, and only lead to a misinformed debate.

Digital security is full of bad analogies; it’s a complex, quickly changing field. But as hacking tools continue to intertwine with significant stories of conflict, politics, and justice, one analogy in particular lingers: the comparison of computer exploits to physical weapons.

The image of exploits being something like digital missiles may be pretty easy to grasp and carry emotional weight, but using it in many contexts does a disservice to the public and leads to a misinformed debate.

“Comparing military weapon systems to software exploits by slapping a nonsensical ‘cyber-‘ in front of some metal gear is intellectually lazy and misleading,” Thomas Rid, professor of security studies at King’s College London, told Motherboard in an email.

“It was as if the Air Force lost some of its most sophisticated missiles and discovered an adversary was launching them against American allies—yet refused to respond, or even to acknowledge that the missiles were built for American use,” the New York Times article reads, referring to exploits likely stolen from the NSA that NotPetya took advantage of called ETERNALBLUE and ETERNALROMANCE.

But the analogy falls apart even when just addressing how the NSA allegedly responded to the exploits’ distribution. Before a group of self-described hackers called The Shadow Brokers released the exploits online for anyone to download, the NSA tipped off Microsoft, which then issued a patch to fix the underlying vulnerabilities, according to The Washington Post.

If we’re sticking with exploits being like missiles in this case, how does this fit in? The Department of Defense warned the contractor that made the missiles that the weapons had been stolen, and the company then remotely shut down the missiles’ functionality?

Sure, in some cases that might be possible, but generally the comparison is forced and muddy when confronted with how exploits differ from weapons: the vulnerabilities that exploits rely on can be fixed; users can instantly transfer exploit code in a simple text file; and vulnerabilities can be discovered in widely available commercial software, rather than being mostly restricted to the research and development section of a weapon’s manufacturer.

To be clear, a limited set of hacking tools can be considered ‘cyberweapons,’ such as the joint US-Israeli piece of malware Stuxnet, which tampered with Iranian centrifuges and slowed down the country’s nuclear program. But Stuxnet was specifically designed to cause physical destruction to a system, making it much more akin to a kinetic weapon than the ETERNAL exploits, which could be repurposed for many different things. And even if something is a cyberweapon, that does not necessarily warrant a comparison with a physical equivalent.

Trying to force these comparisons is unhelpful, and there is little benefit in doing so.

“Simplistic martial analogies have perennial appeal, of course—they attract lots of amateurs and repel proper experts. So we get a superfluous discussion about analogies instead of much-needed substance,” Rid added.

In a way, the comparisons echo the “horseless carriage,” which was used to describe some of the earliest automobiles. Indeed, we end up with officials trumpeting bizarre “cyberisms” with very little idea of what they actually mean. Last year, Deputy Defense Secretary Robert Work said the US was dropping “cyberbombs” on ISIS.

With these analogies there is a danger that debates become warped or confused. Topics such as whether deploying exploits is proportionate, or whether exploits can act as tools of deterrence in conflict, cannot be tackled without a proper understanding of what exactly an exploit is, and inaccurate comparisons are not going to further the discussion. In place of nuance we are left with hype and potential fearmongering.

Instead, why not treat computer exploits as something else in their own right, with their own idiosyncrasies, characteristics, and impact on the world? We are at a point in the ubiquity of computers, and the vulnerabilities that come with them, where the public, policy makers, and journalists need to grasp these concepts properly, rather than haphazardly trying to link exploits to things of the past.